Article Content

Article Number

000024731

Applies To

RSA ClearTrust 5.5.2

Microsoft Windows 2000 SP4

Issue

Smart Rule mapping for Boolean Expression in RSA ClearTrust

If the boolean expression is incorrectly translated into Smart Rule operators, some users may incorrectly be able to access the ClearTrust-protected resource contents, while others may receive the ct_access_denied.html page.

Cause

This article provides clear definitions of the mapping between boolean expressions (AND, OR) and the ClearTrust Smart Rule operators (DENY, ALLOW, REQUIRE).

Resolution

Suppose the access control requirement is to allow users access to a ClearTrust-protected resource when "(d AND e) OR c" evaluates to TRUE, where c, d, and e are conditions on user attributes of the form <user attribute name>=<specific value> (for instance, Age > 21).

First, set up a protected resource and a user who has no entitlement to this resource, but will have access based solely on smart rules.

Then, create an application within ClearTrust to house the protected resource. Set the application itself to Allow access when policy conflict occurs, and set the protected resource to Allow access when policy conflict occurs as well. This setting ensures that Allow rules are evaluated before any Deny rules.

Next, set up three rules:

ALLOW if condition c is true

REQUIRE d=meets some specific condition

REQUIRE e=meets some other specific condition

NOTE: With the Allow access when policy conflict occurs setting, the ALLOW rule is executed first and functions as the OR operator. If the c condition is true, there is no need to process the other rules and access is granted. If the c condition is false, the REQUIRE rules are executed next.

With respect to REQUIRE rules, all such rules must evaluate to true for the overall value to be true, whereas if one of the REQUIRE rules evaluates to false, there is no need to process the remaining REQUIRE rules and the overall result is false. The REQUIRE rule operates as the AND operator.
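To confirm that a rule set really implements the intended expression before deploying it, the following Python model of the evaluation order described above (ALLOW rules first, any true grants access; then REQUIRE rules, all of which must be true) is an added example and not ClearTrust code. The rule sets, the boolean conditions and the all-ALLOW mis-mapping are constructed for illustration, and DENY rules are not modelled.

```python
from itertools import product

ALLOW, REQUIRE = "ALLOW", "REQUIRE"


def evaluate(rules, user):
    """Assumed model of Smart Rule evaluation for a resource set to
    'Allow access when policy conflict occurs': any true ALLOW rule grants
    access (OR); otherwise every REQUIRE rule must be true (AND). The user
    has no entitlement, so with no granting rule the result is denial."""
    allows = [pred for op, pred in rules if op == ALLOW]
    requires = [pred for op, pred in rules if op == REQUIRE]
    if any(pred(user) for pred in allows):
        return True
    if requires and all(pred(user) for pred in requires):
        return True
    return False


def intended(user):
    """The access requirement from the article: (d AND e) OR c."""
    return (user["d"] and user["e"]) or user["c"]


def rule_set_correct():
    """The mapping the article describes: ALLOW for c, REQUIRE for d and e."""
    return [
        (ALLOW, lambda u: u["c"]),
        (REQUIRE, lambda u: u["d"]),
        (REQUIRE, lambda u: u["e"]),
    ]


def rule_set_all_allow():
    """Constructed mis-mapping: ALLOW for every condition yields c OR d OR e."""
    return [(ALLOW, lambda u, k=k: u[k]) for k in ("c", "d", "e")]


def check_mapping(rules, expected):
    """Evaluate the rule set for every combination of c, d and e and return
    the (c, d, e) inputs where it disagrees with the intended expression."""
    mismatches = []
    for c, d, e in product([False, True], repeat=3):
        user = {"c": c, "d": d, "e": e}
        if evaluate(rules, user) != expected(user):
            mismatches.append((c, d, e))
    return mismatches
```

An empty mismatch list means every user sees the decision the expression intends; the all-ALLOW set instead grants access to users who satisfy only d or only e.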